The British government plans to extend data protection laws to increase consumer rights and create new crimes

The British government will publish a "statement of intent" to strengthen data protection laws, giving people the right to have their personal data deleted. Organizations that can't or won't delete data, or fail to report security breaches, can be fined up to £17 million or up to 4 percent of their global turnover.

Members of Parliament in London will debate an EU-compatible data protection bill in September.

Photo: Jack Schofield

The British government says it will publish a "statement of intent" today (Monday 7 August) covering its plans to strengthen the UK's data protection law. It aims to improve consumer rights, and will create some new criminal offences "to deter organizations from either intentionally or recklessly creating situations where someone could be identified from anonymized data".

Many of the changes were inevitable, because the British government is obliged to bring the European Union's General Data Protection Regulation (GDPR) into UK law.

However, the government said in a statement that it had "successfully negotiated to be able to make modifications to the GDPR to make it work for the benefit of the UK and the Bill will legislate for these changes. It will apply new data protection standards to all general data, not just areas covered by EU law."

The government claims that its new Data Protection Bill will:

make it simpler for users to withdraw consent for the use of personal data;

allow people to ask for their personal data held by companies to be erased;

enable parents and guardians to give consent for their child's data to be used;

expand the definition of 'personal data' to include IP addresses, internet cookies and DNA;

update and strengthen data protection law to reflect the changing nature and scope of the digital economy;

make it easier and free for individuals to require an organisation to disclose the personal data it holds on them;

make it easier for customers to move data between service providers.

Requiring companies and organizations to delete personal data implements "the right to be forgotten". The government says it will mean that "people can ask social media channels to delete information they posted in their childhood".

The requirement for "explicit consent" will mean that organizations cannot rely on defaults or "pre-selected 'tick boxes'."

The Information Commissioner's Office (ICO) will be able to fine organizations up to £17 million (€20m) or 4 percent of their global turnover for serious data breaches. The previous maximum fine was £0.5m.

The Department for Digital, Culture, Media and Sport (DCMS) is planning to introduce the Bill in September, when the House reopens after its summer break. It has to move quickly because GDPR comes into force on May 25, 2018.

British law will have to be compatible with the GDPR even if, or when, the UK leaves the EU.

Several aspects of the GDPR will make life difficult for businesses. One is the requirement to identify and report the loss of personal data - including email addresses and passwords - within 72 hours. Another is the requirement to find and delete personal data on request. This data may be spread across several databases, which were designed for different purposes.

The organizations that have to change their systems to meet these requirements now have less than 10 months to do it.

Matt Hancock, Minister of State for Digital said: "Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account."